v1.0.0

Feishu Voice Reply

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 7:52 AM.

Analysis

The skill appears aligned with its stated purpose of making Feishu voice replies, with ordinary cautions about external TTS processing, local media tools, and minor documentation cleanup.

Guidance: This skill looks reasonable for generating Feishu voice replies. Before installing, make sure you trust and have installed the needed edge-tts and ffmpeg tools, avoid using it for confidential text unless you are comfortable with TTS processing, and consider asking the publisher to clean up the merge markers and declare dependencies.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
scripts/build_feishu_voice.py
edge_tts = shutil.which("edge-tts")
ffmpeg = shutil.which("ffmpeg")
...
raise SystemExit("edge-tts not found in PATH")

The script depends on external command-line tools, while the registry metadata declares no required binaries. This is a transparency/setup issue, not hidden behavior.

User impact: The skill may fail unless the needed tools are installed, and users should ensure those tools come from trusted sources.
Recommendation: Declare edge-tts, ffmpeg, and optional ffprobe in the skill metadata or setup guidance, and recommend trusted installation sources.

Unexpected Code Execution
Severity: Info | Confidence: High | Status: Note
scripts/build_feishu_voice.py
proc = subprocess.run(cmd, capture_output=True, text=True)
...
run([edge_tts, "--voice", args.voice, "--text", text, "--write-media", str(mp3_path)])

The skill executes local media/TTS binaries. This is central to its stated purpose and uses argument lists rather than shell strings, so it appears proportionate.

User impact: Installing users should expect the skill to run local audio tools and create or overwrite the generated media files in the chosen output directory.
Recommendation: Keep outputs in the documented workspace directory and avoid using untrusted or sensitive paths for the output directory.

Human-Agent Trust Exploitation
Severity: Info | Confidence: High | Status: Note
SKILL.md
<<<<<<< HEAD
=======
- **Automatic emoji filtering**: the script automatically filters out emoji characters before TTS synthesis...
>>>>>>> 8d2abf78b8490403831aae82052e8e107054b856

Unresolved merge markers and an inserted rule make the instructions less polished and could confuse users or agents about exact behavior.

User impact: The skill may still work, but users could misunderstand whether emoji filtering is actually implemented.
Recommendation: Remove the merge-conflict markers and make the documented emoji behavior match the included script.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: Medium | Status: Note
SKILL.md
Use `scripts/build_feishu_voice.py` to synthesize Chinese speech with Edge TTS

The spoken reply text is provided to Edge TTS for synthesis. This external-provider data flow is disclosed and purpose-aligned, but users should treat the text as being processed outside the local skill code.

User impact: If the reply text contains private or confidential information, that content may be processed by the TTS provider and then saved locally as audio.
Recommendation: Avoid synthesizing secrets or highly sensitive content, or add explicit user confirmation/privacy guidance before using TTS on sensitive text.